Social Engineering

Phishing Campaigns

Your firewall doesn't stop someone clicking a link. We prove it.

Phishing simulation testing is an authorized social engineering assessment that measures employee susceptibility to deceptive emails. Sherlock Forensics delivers AI-powered email phishing campaigns in Vancouver and across British Columbia, partnered with BaitAndPhish.com for thousands of battle-tested templates plus custom AI-generated lures, OSINT-driven targeting and real-time analytics.

Over 90% of breaches start with social engineering. Our red team designs realistic, AI-driven email phishing campaigns - powered by BaitAndPhish.com with thousands of battle-tested templates plus custom AI-generated lures - then delivers actionable metrics so you know exactly where your organization is vulnerable and how to fix it.

Powered by BaitAndPhish.com
90% - Breaches from social engineering
AI - Campaign intelligence
24hr - First results

Capabilities

Phishing & Social Engineering Services

01 - Email

Email Phishing

Realistic phishing emails crafted by our red team - not generic templates. Industry-specific lures built from OSINT reconnaissance of your organization, supply chain and communication patterns.

02 - Spear

Spear Phishing

Targeted attacks against executives, finance and IT personnel. OSINT-driven personalization using publicly available data to craft highly convincing, role-specific pretexts that mirror real threat actor tradecraft.

03 - AI

AI-Powered Campaigns

AI-generated lures that adapt to your industry and organizational context, combined with thousands of battle-tested templates from our BaitAndPhish.com platform. Automated targeting, intelligent scheduling and AI-driven analysis for maximum campaign effectiveness.

04 - Ongoing

Ongoing Programs

Quarterly or monthly recurring campaigns that track improvement over time. Benchmark your organization against industry averages, identify repeat offenders and measure the ROI of your security awareness investment.

Process

How It Works

01 - Scope & Targeting
Define target groups, campaign scope and objectives with your stakeholders.
02 - Campaign Design
OSINT reconnaissance and AI-powered template generation. Lures tailored to your industry and internal communications.
03 - Execution
Phishing emails deployed on schedule from thousands of proven templates and custom AI-generated lures. Real-time monitoring of campaign delivery and engagement.
04 - Tracking
Click rates, credential submissions, reporting rates and time-to-click captured with AI-driven analytics.
05 - Report
Executive summary, department-level breakdown, repeat offender identification and industry benchmarking.
06 - Training Recommendations
Targeted awareness training for high-risk groups. Optional automated training integration for repeat offenders.

Compliance

Phishing Testing & Compliance

| Framework | Requirement | How Phishing Testing Helps |
| --- | --- | --- |
| PCI DSS | Requirement 12.6 - Security awareness program | We help clients complete PCI SAQ audits and validate security awareness training effectiveness through simulated phishing attacks |
| General Frameworks | Security awareness requirements across SOC 2, ISO 27001, NIST and other frameworks | Phishing testing supports security awareness requirements common to most compliance frameworks by providing measurable evidence of employee resilience |

Frequently Asked Questions

Phishing Campaign FAQs

How realistic are the phishing emails?
Our red team crafts campaign-specific lures using OSINT from your organization - not generic templates. Emails replicate real threat actor techniques including domain spoofing, brand impersonation and contextual pretexting drawn from publicly available information about your company and employees.
Will employees know it's a test?
No. Campaigns are designed to be indistinguishable from real attacks. Only designated stakeholders are informed. This ensures accurate measurement of your organization's actual susceptibility to social engineering.
How long does a campaign take?
Typical campaigns run 2-4 weeks. Results begin within 24 hours of launch. Campaign duration depends on scope and number of targets.
What metrics do you track?
Click rates, credential submission rates, reporting rates, department breakdown, time-to-click and repeat offenders. All metrics are delivered in an executive report with AI-driven analysis and benchmarking against industry averages.
Do you provide training after?
Yes. Every engagement includes targeted awareness training recommendations based on campaign results, plus optional automated training integration. We identify high-risk departments and individuals for focused remediation.

Certifications

Our social engineering team holds recognized certifications.

CISSP

Get Started

Ready to test your people?

Order a phishing campaign online - no meetings required.

Scope Your Phishing Campaign

Whether you need a one-time assessment or an ongoing program, we will design a campaign that measures your organization's real-world susceptibility to social engineering and delivers the metrics you need for compliance and improvement.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada
Typical Timeline: 2-4 weeks from scoping to final report